August 2018 - java-sig-commits - Fedora Mailing-Lists

[Bug 1548909] CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1548909 --- Comment #43 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2018:2419 https://access.redhat.com/errata/RHSA-2018:2419 -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 8 months

1
0
0 / 0

[Bug 1572416] New: CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1572416 Bug ID: 1572416 Summary: CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: sfowler(a)redhat.com CC: abergmann(a)suse.com, aileenc(a)redhat.com, alazarot(a)redhat.com, anstephe(a)redhat.com, bkearney(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, etirelli(a)redhat.com, ggainey(a)redhat.com, gvarsami(a)redhat.com, hghasemb(a)redhat.com, hhorak(a)redhat.com, ibek(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jcoleman(a)redhat.com, jolee(a)redhat.com, jorton(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, kconner(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lef(a)fedoraproject.org, lpetrovi(a)redhat.com, mat.booth(a)redhat.com, meissner(a)suse.de, nwallace(a)redhat.com, paradhya(a)redhat.com, pavelp(a)redhat.com, pszubiak(a)redhat.com, puntogil(a)libero.it, rhel8-maint(a)redhat.com, rrajasek(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, rzhang(a)redhat.com, sdaley(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tlestach(a)redhat.com, vhalbert(a)redhat.com Apache Tika before version 1.18 has a command injection vulnerability in tika-server. A remote attacker could exploit this to execute arbitrary commands via crafted headers. External References: https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b268... -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 8 months

1
16
0 / 0

[Bug 1540030] New: CVE-2017-8030 spring-framework: Improper URL path validation allows for bypassing of security checks on static resources

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1540030 Bug ID: 1540030 Summary: CVE-2017-8030 spring-framework: Improper URL path validation allows for bypassing of security checks on static resources Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: sfowler(a)redhat.com CC: aileenc(a)redhat.com, alazarot(a)redhat.com, anstephe(a)redhat.com, apevec(a)redhat.com, chazlett(a)redhat.com, chrisw(a)redhat.com, dchen(a)redhat.com, etirelli(a)redhat.com, gvarsami(a)redhat.com, hchiorea(a)redhat.com, ibek(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jcoleman(a)redhat.com, jjoyce(a)redhat.com, jolee(a)redhat.com, jschluet(a)redhat.com, jstastny(a)redhat.com, kbasil(a)redhat.com, kconner(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lef(a)fedoraproject.org, lhh(a)redhat.com, lpeer(a)redhat.com, lpetrovi(a)redhat.com, markmc(a)redhat.com, mburns(a)redhat.com, mkolesni(a)redhat.com, nwallace(a)redhat.com, nyechiel(a)redhat.com, paradhya(a)redhat.com, pavelp(a)redhat.com, pszubiak(a)redhat.com, puntogil(a)libero.it, rbryant(a)redhat.com, rrajasek(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, rzhang(a)redhat.com, sclewis(a)redhat.com, sdaley(a)redhat.com, sisharma(a)redhat.com, slinaber(a)redhat.com, tcunning(a)redhat.com, tdecacqu(a)redhat.com, tkirby(a)redhat.com, vhalbert(a)redhat.com Spring Framework and Spring Security do not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint and access Spring MVC static resource URLs. Affected versions include: * Spring Security 4.1.0 - 4.1.4, 4.2.0 - 4.2.3 and 5.0 * Spring Framework 4.3.0 - 4.3.14, and 5.0.0 - 5.0.2 Older unmaintained versions of Spring Security and Spring Framework may also be affected. Upstream Advisory: https://pivotal.io/security/cve-2017-8030 -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 8 months

1
32
0 / 0

[Bug 1564408] CVE-2018-1272 spring-framework: Multipart content pollution

by bugzilla＠redhat.com

5 years, 8 months

1
0
0 / 0

[Bug 1564408] CVE-2018-1272 spring-framework: Multipart content pollution

by bugzilla＠redhat.com

5 years, 8 months

1
0
0 / 0

[Bug 1474795] New: checkstyle-8.1 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1474795 Bug ID: 1474795 Summary: checkstyle-8.1 is available Product: Fedora Version: rawhide Component: checkstyle Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: dbhole(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Latest upstream release: 8.1 Current version/release in rawhide: 8.0-1.fc27 URL: http://sourceforge.net/projects/checkstyle Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/275/ -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 8 months

1
14
0 / 0

[Bug 1592646] New: CVE-2018-1067 tomcat: undertow: HTTP header injection using CRLF with UTF-8 Encoding ( incomplete fix of CVE-2016-4993) [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1592646 Bug ID: 1592646 Summary: CVE-2018-1067 tomcat: undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993) [fedora-all] Product: Fedora Version: 28 Component: tomcat Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: ivan.afonichev(a)gmail.com Reporter: dmoppert(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, csutherl(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com, me(a)coolsvap.net This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 8 months

1
4
0 / 0

[Bug 1604797] New: maven-doxia: FTBFS in Fedora rawhide

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1604797 Bug ID: 1604797 Summary: maven-doxia: FTBFS in Fedora rawhide Product: Fedora Version: rawhide Component: maven-doxia Assignee: mizdebsk(a)redhat.com Reporter: mboddu(a)bhujji.com QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, dbhole(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, mefoster(a)gmail.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, sochotni(a)redhat.com Blocks: 1602938 maven-doxia failed to build from source in Fedora rawhide https://koji.fedoraproject.org/koji/taskinfo?taskID=28200324 For details on the mass rebuild see: https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild Please fix maven-doxia at your earliest convenience and set the bug's status to ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks, maven-doxia will be orphaned. Before branching of Fedora 30, maven-doxia will be retired, if it still fails to build. For more details on the FTBFS policy, please visit: https://fedoraproject.org/wiki/Fails_to_build_from_source Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1602938 [Bug 1602938] (F29FTBFS) Fedora 29 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 8 months

1
4
0 / 0

[Bug 1516064] New: gradle-4.4.0-RC1 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1516064 Bug ID: 1516064 Summary: gradle-4.4.0-RC1 is available Product: Fedora Version: rawhide Component: gradle Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: dan(a)danieljamesscott.org, java-sig-commits(a)lists.fedoraproject.org, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, msimacek(a)redhat.com Latest upstream release: 4.4.0-RC1 Current version/release in rawhide: 4.3.1-1.fc28 URL: http://www.gradle.org/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/6088/ -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 8 months

1
21
0 / 0

[Bug 1576712] New: jenkins: Users with Overall/ Read permission were able to send GET requests to any URL (SECURITY-794)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1576712 Bug ID: 1576712 Summary: jenkins: Users with Overall/Read permission were able to send GET requests to any URL (SECURITY-794) Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: ahardin(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jokerman(a)redhat.com, kseifried(a)redhat.com, mchappel(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com The form validation code for a tool installer improperly checked permissions, allowing any user with Overall/Read permission to submit a HTTP GET request to any user specified URL, and learn whether the response was successful (HTTP 200) or not. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks. External References: https://jenkins.io/security/advisory/2018-05-09/ -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 8 months

1
5
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits August 2018